Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Cookie Does Not Contain The "secure" Attribute on ltm vip

Girishb401
Nimbostratus
Nimbostratus

‎30-Mar-2021 10:09

Our security team reported that multiple vulnerabilities has been detected on one of VIP: 1.2.3.4 (on BIG-IP LTM v12.1.2 version.)

 

Please refer the list as below 

1.Cookie Does Not Contain The "secure" Attribute

2.Path-Based Vulnerability

3. Session Cookie Does Not Contain the "Secure" Attribute

4.Slow HTTP POST vulnerability

 

 

I also Referred this below article but "I don't find any kind of persistence profile enabled and also no custom http profile exist on this mentioned VIP ".

 

K30524234: The HTTPOnly and Secure attributes are enabled by default in the Cookie persistence profile

 

If cookies persistence not enabled on VIP, then is it something need to look at backend server (poolmember). please confirm me

 

Kindly help me to fix this issue

 

Great thanks,

Girish

Labels:
0 Kudos
3 REPLIES 3

Lidev
MVP
MVP

‎31-Mar-2021 00:48

Hi,

If you don't use cookie persistence profile, you need to configure the BIG-IP ASM to use secure and HttpOnly cookie flag.

Check in your ASM Policy configuration, Security ›› Application Security : Headers : Cookies List ›› Edit Cookie

0691T00000C2dOOQAZ.png

0 Kudos

Girishb401
Nimbostratus
Nimbostratus

‎31-Mar-2021 01:28

OK..I am not sure about that we allowed to c provision a BIG-IP ASM (new) on F5 LB.

 

And I also checked with F5 TAC engineer and he suggested as below

 

"The security scan will test the traffic all the way through the virtual server, to the pool member. Since the BIG-IP virtual server is not generating the cookie, it must be the pool member server that is generating it. Therefore, the Qualys scan would be indicating that the vulnerable component is the server, NOT the BIG-IP virtual server."

 

So Finally he is pointing something to check on backend server.

 

so I am a bit confusion what decision need to take on this

 

0 Kudos

Lidev
MVP
MVP

‎31-Mar-2021 01:37

Indeed, if you don't use the ASM module, you have to check this on the backend server, look at the configured Set-Cookie header (Secure; HttpOnly).

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

 

Regards

0 Kudos
Copyright © 2023 Khoros, LLC